JavaScript Security
1. Fundamentals of JavaScript Security
2. Core Client-Side Vulnerabilities
3. Defensive Coding and Mitigation Strategies
4. Browser Security Policies and Features
5. Server-Side Defenses for Client-Side Security
6. Third-Party Code and Supply Chain Security
7. Security in Modern JavaScript Frameworks
8. Advanced Topics
9. Security Testing and Analysis
7. Security in Modern JavaScript Frameworks
7.1. General Principles
7.1.1. Built-in Security Features
7.1.1.1. Automatic Output Encoding
7.1.1.2. Template Injection Protections
7.1.1.3. CSRF Protection
7.1.2. Framework-Specific Vulnerabilities
7.1.2.1. Misconfiguration Risks
7.1.2.2. Unsafe Plugin Usage
7.1.2.3. Version-Specific Issues
7.2. React Security
7.2.1. JSX and Auto-Encoding
7.2.1.1. Preventing XSS by Default
7.2.1.2. Expression Evaluation
7.2.2. Dangers of dangerouslySetInnerHTML
7.2.2.1. When and How to Use Safely
7.2.2.2. Sanitization Requirements
7.2.3. Server-Side Rendering (SSR) Security
7.2.3.1. Data Hydration Risks
7.2.3.2. Secure Data Serialization
7.2.3.3. State Injection Attacks
7.2.4. React-Specific Vulnerabilities
7.2.4.1. Ref Callback Attacks
7.2.4.2. Props Injection
7.3. Angular Security
7.3.1. Built-in Protections
7.3.1.1. Sanitization Mechanisms
7.3.1.2. Template Compiler Security
7.3.1.3. Trusted Types Integration
7.3.2. The bypassSecurityTrust Methods
7.3.2.1. Risks and Use Cases
7.3.2.2. Safe Usage Guidelines
7.3.2.3. HTML Sanitization
7.3.3. Angular-Specific Vulnerabilities
7.3.3.1. Template Injection
7.3.3.2. Expression Language Attacks
7.3.4. Dependency Injection Security
7.3.4.1. Provider Security
7.3.4.2. Service Isolation
7.4. Vue.js Security
7.4.1. HTML Content vs. Text Content
7.4.1.1. v-html Directive Risks
7.4.1.2. Safe Use of Interpolation
7.4.2. Potential XSS Vectors
7.4.2.1. Template Injection
7.4.2.2. Third-Party Plugin Risks
7.4.2.3. Component Props Validation
7.4.3. Vue-Specific Security Features
7.4.3.1. Template Compilation
7.4.3.2. Scoped Slots Security
7.5. Node.js Security
7.5.1. Server-Side JavaScript Risks
7.5.2. Package Security
7.5.3. Environment Variable Handling
7.5.4. File System Access Control